I know I can use Quick View from the menu bar in Mac Mail to look at an attachment without opening the email.

Since I have yet to figure out how to get Mail not to open attachments (photos) on its own, is this a way to look at an attached photo without opening the message and, more importantly, is this a secure-ish way to deal with attachments? Since, I believe, there's no way to open the email without them opening on their own.

I don't want to delete them (necessarily - and I do know how to remove the attachments and keep the message, but I don't want to do this until I've seen the attachment)

So what do you do about attached photos? No way to open message without the attachment without deleting the attachment (except for what I saw about changing something via Terminal which is probably outdated info anyway - and you do know me and my terminal-phobia). This: https://www.defaults-write.com/disable- ... s-in-mail/

Am I foolish to be concerned that photos might carry something nefarious?

As a general rule I don't trust any email program enough to auto-open attachments, simply because there's always the chance that a rogue attachment could exploit a vulnerability.

I don't even like email programs to show one or two line previews since the email could be maliciously crafted to exploit a vulnerability that only gets triggered when it's opened, and previewing typically counts as opening it.

But I'm pretty cautious. And I don't usually bother to read HTML email. Basically, when it comes to email, I'm a curmudgeon.

As a general rule I don't trust any email program enough to auto-open attachments, simply because there's always the chance that a rogue attachment could exploit a vulnerability.....

So how do you shut off "auto-open" in Mail? Oh, you probably don't use Mail! Or you do the terminal thing I cited above? (Is iMessage as vulnerable? We use that too but only for a few friends and family who also have iPhones.) I only open emails from addresses I recognize, but even so, you never know...

Allowing remote images to load can tip off a spammer that you've opened their mail, and they know they can keep at it. By itself, so long as you do not open attachments from unknown senders--and even there be very careful, since the email account of someone you know may have been hacked--simply opening an email should not expose you to any risk, and not alert a spammer that you've opened it. I will do this for spam in order to view the raw headers. Opening a malicious attachment can get you deep into big trouble.

Also be careful opening forwarded messages. I don't always trust those I know to use all that much discretion in what they choose to forward.

The first thing to do in Apple Mail is to disable remote images, in Preferences->Viewing.

Already done - thanks - it kept my setting from Snow.

WZZZ wrote:

Allowing remote images to load can tip off a spammer that you've opened their mail, and they know they can keep at it.

I hadn't realized the thinking behind this - thanks for the explanation. I do load remote images for something like a shipping notice for an order from (say) a company I'm dealing with.

WZZZ wrote:

By itself, so long as you do not open attachments from unknown senders--and even there be very careful, since the email account of someone you know may have been hacked--simply opening an email should not expose you to any risk...

Yes - but my worry was about those emails I get (from friends so not much of a worry) where the photo is open and staring at me without my doing anything.

That's why I wondered if .jpg or other photo types can contain issues on their own, or if the worry is just those attachments that contain links. I'm also thinking of things like the .exe files that (only ? Windows) folks worry about. Or emojis that are just there. Or sometimes those companies that attach a tiny logo (a gif perhaps?) following their signature.

WZZZ wrote:

...I will do this for spam in order to view the raw headers. Opening a malicious attachment can get you deep into big trouble.

Also be careful opening forwarded messages. I don't always trust those I know to use all that much discretion in what they choose to forward.

I don't even see the messages in my phishing or SPAM list beyond the quarantine list as I attached above. If I think it might be a legit message that got quarantined by mistake, I can view it in my webmail without actually opening it in mail.

I've wondered/worried about this for a long time, but that DropBox malware article and my "new" Mail app got me wondering anew.

Yeah, I don't use Mail. I have to support others who use Mail. That's all the exposure I need.

I was thinking about this the other day. When I come home the biggest relief I have is that everything just works. No problems. When things go wrong I get whiny and petulant. But I just talk to the systems.

Joined: Sun Apr 20, 2008 5:24 am; Posts: 9743; Location: North of the State of Jefferson

I'm not fond of Mail for many reasons, but have to use it on at least one computer. The precaution I take with it, and all other email programs I use, is to disable all remote content as expertly described by WZZZ.

I also don't open attachments that I don't expect to receive, doubly so anything that looks like a file that requires a specific program to open (Word/Excel/PowerPoint files, etc). General JPEG/PNG attachments are pretty safe barring yet another horrible image parsing vulnerability. PDFs aren't images, despite sometimes being treated as such, and I would be a little surprised if there aren't more PDF parser/display vulnerabilities in OS X. (I mean, the bloody PDF ISO 32000-1 standard is 756 pages long -- implement that in C without making a mistake! Fortunately Adobe publishes a supplementary 1300 page document to shed some light on accepted standard document itself.)

I also make sure the Finder shows all filename extensions, so that after downloading or saving a file I am not deceived into opening something like woodenhorse.jpg.app thinking it's a JPEG.

There could also be a problem with the email program's message parser, but there's only so much you can do short of manually downloading the messages over telnet and deciphering their content by hand. If the generic message parser

Emojis are, surprisingly, text not images. The magic of Unicode text encoding makes them possible, and the system notices and displays the associated glyph as an image. Still, at their heart, they're just a single unicode character.
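An added example, not part of any post above: the remote-image and disguised-extension checks discussed in this thread, done in Python on the raw message so that nothing is rendered or opened. The sample message, its addresses, the tracker URL and the `DECOY_EXTS` list are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not from the thread); addresses and URL are placeholders.
SAMPLE_EML = b"""\
From: friend@example.com
Subject: holiday photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Hi</p><img src="https://tracker.example/p.gif?id=123" width="1" height="1">
<img src="cid:logo">
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="beach.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="woodenhorse.jpg.app"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}  # assumed list

def inspect_message(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"remote_images": [], "attachments": [], "suspicious": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:  # attachment: record name and declared type, never decode it
            report["attachments"].append((name, part.get_content_type()))
            pieces = name.lower().split(".")
            # photo.jpg.app: a harmless-looking extension hiding the real one
            if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
                report["suspicious"].append(name)
        elif part.get_content_type() == "text/html":
            # only http(s) images phone home; cid: images travel inside the mail
            report["remote_images"] += re.findall(
                r'<img[^>]+src=["\'](https?://[^"\']+)', part.get_content(), re.I)
    return report

if __name__ == "__main__":
    print(inspect_message(SAMPLE_EML))
```
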

Indeed, which is why if your system implements an older version of unicode than the system sending you the emoji, you can end up with a square block with a number inside instead of a pile of poop shaking its "head" at you.


MonkeyBoy wrote:

Indeed, which is why if your system implements an older version of unicode than the system sending you the emoji, you can end up with a square block with a number inside instead of a pile of poop shaking its "head" at you.

What a shame.

It's really fun when you get a database into the mix and send it a 4-byte emoji when the table was only configured to store up to 3-byte characters, and everything after the offending character is silently truncated. Whee!

Indeed, which is why if your system implements an older version of unicode than the system sending you the emoji, you can end up with a square block with a number inside instead of a pile of poop shaking its "head" at you.

Very interesting.

I always blamed Snow and/or Firefox for my seeing those boxes for unicode on such sites as tripadvisor. Tripadvisor says they don't support Firefox and used that as their explanation when I asked them and sent them a screen shot of what I saw in Ff.

I know what is represented in the box, and always assumed that that was all I could see because I was not au courant. But now I am up to date and I'm still seeing boxes. (In Safari I don't see boxes btw.) Boxes like this:


Those particular code points are in the Unicode "PRIVATE_USE_AREA" code block, which means there's no standard character that represents those values*. So if you can't see them, it's because the font you're viewing them in doesn't know about the characters. The font may not know about them because it's a fallback font, rather than one loaded from the web site. It might not be loaded from the web site because the site isn't offering it in a format the browser can use, or it otherwise might not be a font that's on your computer.

The emojis are standard characters that don't generally depend** on the font.

- Anonymous

* Although there have been a handful of gentleman's agreements about what's stashed in some of them that everyone is free to ignore.

** Although they are actually stored in a font file and you can override them.
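An added example, not from any poster: Python that reports the UTF-8 byte length and private-use status of each non-ASCII character, and simulates the silent truncation at the first 4-byte character described earlier in the thread. The sample string and the function names are constructed for illustration.

```python
import unicodedata

# Constructed sample: an emoji (4 bytes in UTF-8) and a Private Use Area code point.
SAMPLE = "Nice \U0001F4A9 day \uE001 ok"

def utf8_len(ch):
    return len(ch.encode("utf-8"))

def classify(text):
    """Return (code point, UTF-8 byte count, note) for each non-ASCII character."""
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            continue
        cat = unicodedata.category(ch)
        if cat == "Co":
            note = "private use: the glyph depends entirely on the font"
        elif cat == "Cn":
            note = "unassigned in this system's Unicode version"
        else:
            note = unicodedata.name(ch, "unnamed")
        out.append((f"U+{ord(ch):04X}", utf8_len(ch), note))
    return out

def store_3byte(text):
    """Simulate a store limited to 3-byte characters that silently truncates."""
    for i, ch in enumerate(text):
        if utf8_len(ch) > 3:
            return text[:i]  # everything from the offending character on is lost
    return text

def store_checked(text):
    """Safer behaviour: refuse the write instead of losing data quietly."""
    bad = [f"U+{ord(c):04X}" for c in text if utf8_len(c) > 3]
    if bad:
        raise ValueError(f"characters need 4-byte storage: {bad}")
    return text

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
    print(repr(store_3byte(SAMPLE)))
```
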
